
I'm no expert and can't see what the problem is, but obviously this error is caused by a tiny detail that it seems I can't debug. Any idea?

What I have: I have multiple virtual hosts configured with Apache2 that manage traffic to different websites. All with HTTPS thanks to Let's Encrypt certbot, and it works fine.

Apache 2.4.18 (Ubuntu) Server: Ubuntu 16.04 Docker version: 19.03.5

What I'm trying to do:

I want to add a Docker container to the mix while keeping my current configuration with Apache. I know I can use something like the nginx reverse proxy companion, and I already do on another server, but I don't want to in this case.

On this setup I'm trying to configure a virtual host acting as a reverse proxy in Apache that will redirect traffic into the corresponding Docker container (running a WordPress container as a test, but I would want to do that with multiple applications in the future). I know it's in French, but I found this guy who tries to do exactly the same thing as me here.

What I did:

I did about the same thing as in the tutorial linked above.

  • Docker-compose file:
version: '3.3'

services:

    wordpress:
        depends_on:
            - db
        container_name: ${CONTAINER_WP_NAME}
        image: wordpress:${WORDPRESS_IMAGE}
        ports:
#            - 8080:80
            - 8081:443
        restart: always
        environment:
            WORDPRESS_DB_HOST: ${CONTAINER_DB_NAME}:3306
            WORDPRESS_DB_USER: ${MYSQL_USER}
            WORDPRESS_DB_PASSWORD: ${MYSQL_PASSWORD}
            WORDPRESS_DB_NAME: ${MYSQL_DATABASE}
            WORDPRESS_TABLE_PREFIX: ${WORDPRESS_TABLE_PREFIX}
        volumes:
            - ${WP_CORE}:/var/www/html
            - ${WP_CONTENT}:/var/www/html/wp-content
            - ./docker/config/vhost.conf:/etc/apache2/sites-enabled/vhost-ssl.conf
            - /etc/letsencrypt:/etc/letsencrypt:ro

  • config/vhost file for container

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName mydomaine.tld

        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on

        SSLCertificateFile /etc/letsencrypt/live/mydomaine.tld/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mydomaine.tld/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/mydomaine.tld/chain.pem

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

    </VirtualHost>
</IfModule>

  • sites-available/mydomaine.conf for apache2

<VirtualHost *:80>

       ServerName mydomaine.tld
       ProxyPreserveHost On

       ProxyPass / http://localhost:8081/ retry=1 acquire=3000 timeout=600 Keepalive=On
       ProxyPassReverse / http://localhost:8081/
       ProxyPassReverseCookieDomain localhost mydomaine.tld


       ErrorLog /srv/logs/error/mydomaine.log
       CustomLog /srv/logs/access/mydomaine.log combined


RewriteEngine on
RewriteCond %{SERVER_NAME} =mydomaine.tld
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

  • sites-available/mydomaine-le-ssl.conf for apache2
<IfModule mod_ssl.c>
<VirtualHost *:443>

       ServerName mydomaine.tld
       ProxyPreserveHost On

       SSLProxyEngine On
       SSLProxyVerify none
       SSLProxyCheckPeerCN off
       SSLProxyCheckPeerName off
       SSLProxyCheckPeerExpire off

       ProxyPass / https://localhost:8081/ retry=1 acquire=3000 timeout=600 Keepalive=On
       ProxyPassReverse / https://localhost:8081/
       ProxyPassReverseCookieDomain localhost mydomaine.tld

       ProxyRequests Off

       ErrorLog /srv/logs/error/slice.log
       CustomLog /srv/logs/access/slice.log combined


       SSLCertificateFile /etc/letsencrypt/live/mydomaine.tld/fullchain.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/mydomaine.tld/privkey.pem
       SSLCertificateChainFile /etc/letsencrypt/live/mydomaine.tld/chain.pem
       Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>
</IfModule>

My problem: Without SSL it works fine, but once I activate SSL and plug into port 443 to connect to the website via HTTPS, I get a 502 Proxy Error in the browser:

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request

Reason: Error reading from remote server

And the website logs return this error:

AH00898: Error reading from remote server returned by /
AH01102: error reading status line from remote server localhost:8081

What I tried:

I read almost every issue on this kind of error and could not debug it. I see this user has exactly the same errors as me, but his solution did not solve my problem. I tried using both the 80 AND 443 ports in the Docker container, but it does not change anything; without redirection http:// works but not https://. Every time I have the same error.

I activated the necessary and recommended packages, and I don't have any other error than those I described.

Julien G
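A small diagnostic, added here as an example and not part of the question or of any answer, that connects to the proxied port the way mod_proxy does (TCP first, then a TLS handshake) and tells apart a closed port, a port that answers but does not speak TLS (the AH01102 "error reading status line" symptom), and a working TLS backend whose negotiated protocol and cipher can then be compared with SSLProxyCipherSuite. The plain-HTTP stub and its 127.0.0.1 ephemeral port are constructed stand-ins for the container behind localhost:8081; on the real host, call probe_backend("localhost", 8081).

```python
import socket
import ssl
import threading


def probe_backend(host: str, port: int, timeout: float = 3.0) -> dict:
    result = {"tcp": False, "tls": False, "protocol": None, "cipher": None, "error": ""}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"tcp connect failed: {exc}"
        return result
    result["tcp"] = True
    # Mirror the question's "SSLProxyVerify none": skip certificate checks so
    # only the handshake itself is under test.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["tls"] = True
            result["protocol"] = tls.version()
            result["cipher"] = tls.cipher()[0]
    except ssl.SSLError as exc:
        # A plain-HTTP backend answers the ClientHello with "HTTP/1.1 400 ...",
        # which OpenSSL rejects as a malformed record (WRONG_VERSION_NUMBER).
        result["error"] = f"tls handshake failed: {exc.reason or exc}"
    except OSError as exc:
        result["error"] = f"tls handshake failed: {exc}"
    finally:
        raw.close()
    return result


def start_plain_http_stub() -> int:
    """Constructed stand-in for a container that only serves plain HTTP on the
    port the proxy expects to be TLS; returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)  # the ClientHello, which a plain-HTTP Apache cannot parse
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

A result with tcp True and tls False is the situation the question's logs describe: the port is reachable, but whatever answers on it is not a TLS server, so no cipher-suite tuning on the proxy side can help until the backend actually listens with SSL.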

3 Answers


It might be that you have an issue with iptables. Docker creates its own rules for iptables. In my case I used iptables-persistent to save the rules, but the Docker rules got saved as well. This is a problem, because Docker usually creates different rules on each start.

Here is a description of my problem and the solution: Docker connectivity issue due to conflict with iptables-persistent

Bojan Hrnkas

Another possible issue:

Missing "ProxyPreserveHost On" in the virtual host.

This is not the case in the original question, since it contains this directive, but it might help someone else with a similar problem.

Bojan Hrnkas

I've also dug deep around the web and tried all the solutions and suggestions that I could find to date.

The error in the log does not give much of a pointer, but what solved it for me was adding a directive allowing some deprecated cipher suites for the proxied server, Apache Coyote in my case.

Add the SSLProxyCipherSuite directive: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyciphersuite

Values can be cut and pasted from here: https://wiki.mozilla.org/Security/Server_Side_TLS

Probably try the cipher suites for TLS 1.0 - 1.2: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA

See if that gets things running, and harden up from there.

Glh